Wired Magazine claims in its headlines that one should “Break Out a Hammer” because “You’ll Never Believe the Data ‘Wiped’ Smartphones Store.” The implication is that information remains behind on smartphones when they are wiped. While there is nothing factually wrong with the article, the headline is misleading. You might as well proclaim, “Dinosaurs dangerous to mammals the size of humans.” Nothing factually wrong with that observation, either….
No, you don’t need to break out a hammer. Or a gun. Or your drill. You just have to be smart about your smartphones. That means securing them with a passcode; configuring your settings so that things don’t run automatically; using antivirus (if available); and potentially using MDM software to manage smartphones and tablets. It also means knowing what your phone can and cannot do.
What Do You Mean by “Wiping Data?”
Why is Wired recommending that people trash their smartphones as opposed to wiping them? Because, just like laptop computers, wiping data doesn’t necessarily mean “wiping data.” You know, just like the word “theory” has a different connotation when used in science vs. everyday use.
As it turns out, and this shouldn’t be news to readers of this blog, sometimes trace data (or more. Much more) is left behind when a device’s data is “wiped.” If by wiped, you mean you’ve deleted files… well, you haven’t really wiped anything. And, we already know that if a laptop computer is reformatted, then most of the old data is still in place: the process of reformatting just preps the device for a new installation, and has nothing to do with data security, which requires overwriting of data. This is, of course, true for smartdevices as well (and why wouldn’t it be?).
Plus, it turns out that flash-based storage systems cannot have their data easily overwritten like their magnetic-platter counterpart, meaning that wiping data on solid state drives is something other than wiping data, regardless of which method you’re referring to: file deletion, formatting, or data overwrites.
In order to penetrate the enterprise market, companies like Apple and Google have designed their devices to ensure that data is wiped when, well, when you wipe it. For example, it’s not uncommon knowledge that Apple’s devices make use of AES-256 hardware encryption. Lose the encryption key – which is what happens when you wipe your iPhone – and your data is gone. There’s a caveat, though: it only applies to relatively modern iterations of the iPhone. To be more specific, the iPhone 3GS and onward (something Wired was forced to acknowledge after going live with the article):
Update 04/01/13 13:22: Story updated to note iPhone 3GS and newer models use a hardware encryption key.
Same goes for Android OS. Older devices didn’t have full disk encryption, but FDE has been a standard feature since Ice Cream Sandwich (i.e., Android 4.0. It was actually available in Android 3.0, but potatoes poh-tah-tohs).
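The wipe methods discussed above can be compared side by side in a toy model. The Python below is an added example, not code from Wired or from the original post: it scans raw storage for leftover data after a delete, a reformat, an overwrite, and a discarded encryption key. `ToyStore`, the page counts and the marker string are constructed for illustration, a SHA-256 keystream stands in for the AES-256 hardware engine, and the flash model has no garbage collection or TRIM.

```python
import hashlib, os

PAGE = 32  # bytes per page in this toy model

def keystream(key, page_no):
    # SHA-256 as a stdlib stand-in for the AES-256 hardware engine (not real AES)
    return hashlib.sha256(key + page_no.to_bytes(4, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyStore:
    """4 logical blocks on 8 physical pages; in_place=False models flash."""
    def __init__(self, in_place=False, encrypted=False):
        self.pages = [bytes(PAGE)] * 8         # what a chip-level read returns
        self.map, self.files, self.cursor = {}, {}, 0
        self.in_place = in_place
        self.key = os.urandom(32) if encrypted else None

    def write_block(self, lba, data):
        if self.in_place and lba in self.map:
            page = self.map[lba]               # platter-style: same location
        else:
            page = self.cursor % len(self.pages)  # flash-style: fresh page,
            self.cursor += 1                   # old copy stays stale (no GC here)
        data = data.ljust(PAGE, b"\0")
        if self.key:
            data = xor(data, keystream(self.key, page))
        self.pages[page], self.map[lba] = data, page

    def save(self, name, data):
        self.files[name] = len(self.files)
        self.write_block(self.files[name], data)
    def delete(self, name):  del self.files[name]    # directory entry only
    def reformat(self):      self.files = {}          # new empty directory
    def crypto_erase(self):  self.key = None          # discard the device key
    def overwrite_all(self):                          # zero every logical block
        for lba in range(4):
            self.write_block(lba, b"")

def recoverable(dev, marker):
    # Scan every physical page, decrypting if the device key still exists
    return any(marker in (xor(p, keystream(dev.key, n)) if dev.key else p)
               for n, p in enumerate(dev.pages))

def wipe_then_scan(method, marker=b"constructed-sample-contact", **opts):
    dev = ToyStore(**opts)
    dev.save("contacts.db", marker)
    getattr(dev, method)(*(("contacts.db",) if method == "delete" else ()))
    return recoverable(dev, marker)
```

In this model `wipe_then_scan("overwrite_all")` still finds the marker on flash-style storage, while `wipe_then_scan("overwrite_all", in_place=True)` and `wipe_then_scan("crypto_erase", encrypted=True)` do not.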
Old Phones: They’re Old
The phones that Wired tested were the following:
- iPhone 3GS: 2008 to 2010
- LG Dare: 2008 to 2010
- LG Optimus: 2010 to present
- Motorola Droid: 2009 to present
The article said only that they were “old,” so I had to look up when they first became available and when they were discontinued. As you can see, these are old phones, especially when you consider that smartphones are really computers in disguise and their hardware hasn’t quite been keeping up with software upgrades. For example, I know of no one who uses a 3GS because newer versions of iOS slow the phone to a crawl.
If you’re going to comment on the state of security for smartphones…well, why only test old phones? I mean, it’s not as if they didn’t have newer phones. Wired went out of their way to get old phones (my emphasis):
We rounded up every old phone we could scrounge up from around the office and asked the owners to wipe them.
What’s the verdict on new or newer phones’ security? We can’t tell from the article because they were excluded. Why? Did the “new phone” lobby get to them?
It’s Not Even a Phone Issue
Then there is the fact that one of the security issues is not a phone issue per se.
Take the two Motorola devices. Both were wiped, and neither had much to speak of stored in their built-in memory, just some application data with no personally identifiable fingerprints.
But one user left his micro SD card in the phone. Although the contents of the card were deleted, the card had not been formatted. This, apparently, meant the files were recoverable.
So, this old-ish phone’s wipe functionality worked correctly, but the micro SD storage was overlooked. Uh, hey… how about not leaving your micro SD card in the phone when you get rid of it? How exactly is this a phone problem?
(Plus, what’s this thing about formatted SD cards being “wiped”? Researchers have found that, apart from applying full encryption and then losing the encryption key, there’s no real way to completely wipe data from flash-based storage.)
Don’t get me wrong. Sensitive information on external media is a big issue, especially for companies that are embracing BYOD. It’s the reason why AlertBoot Mobile Security offers the ability to force encryption on Android phones where SD cards are present. But at the end of the day, the end user also has to have an active hand in securing data. If they’re going to forget their SD card in the phone, are they going to remember to wipe a phone before selling it or giving it away?